Next year the European Union will enact the General Data Protection Regulation, aiming to strengthen information security measures for E.U. residents. It’s a vast, complicated measure that will require international businesses large and small to more securely collect and store data in 28 member states.

Roughly half of the companies that will be affected by the GDPR have begun preparing for the regulations that will go into force May 25, 2018, three privacy and compliance-focused attorneys said. Large multinational corporations with the budget and resources have a head start, though the small and middle-market organizations that have yet to begin preparing will have 16 months to finish a process that may take between 12 and 24 months.

The directive affects all companies that hold or use European personal data, whether the company is located in Europe or not. It is a truly global regulation that impacts U.S. companies selling products in Europe or hosting servers there, and, for the first time, it covers users’ genetic, mental, cultural, economic, or social information.

When it comes to preparation, the first step is to take a deep breath.

Then, business leaders should examine where they actually do business. Companies need to inventory all of the personal data they hold, recording where each item originated and why they have it. It’s a large but necessary task meant to help compliance officers assess their current data storage situation. Using that benchmark, executives can determine what work is necessary to meet the requirements.

“Identify where you have an obligation to make a privacy assessment, then document that and then start to figure out how to mitigate those issues,” said Aaron Tantleff, a partner and intellectual property lawyer at Foley & Lardner. He added that companies should immediately dedicate 4% of their global revenue to GDPR. GDPR violations will incur a penalty of up to 4% of global turnover, which, for Mr. Tantleff, makes that figure a good place to start.

“Hopefully you won’t actually spend 4% on GDPR, but if you pull that money out it is going to be really hard for a regulator to say you’re not taking it seriously,” he said.

That kind of action, demonstrating a move toward compliance even if incomplete, will go a long way toward showing good faith, multiple lawyers said.

“It’s easy to be paralyzed as a smaller company,” said Scott Vernick, a data security lawyer at Fox Rothschild. “But whenever I’m before a regulator I’d always rather be able to show affirmative steps rather than nothing at all.”

Next, web designers can start thinking about how they will meet relatively simple requirements laid out in the GDPR. The consent stipulation, which requires users to provide their authorization, can be addressed with a simple “opt-in” page, for instance, or a large message informing website visitors what kind of information is being collected, and why. Companies with the proper resources can also start accepting applications for the data protection officer position made necessary under the new regulation.

But GDPR is a broad set of rules that is still developing, and experts warn that complying with its dense privacy requirements will almost certainly require some outside assistance.

“Get help,” said Trevor Hughes, chief executive of the International Association of Privacy Professionals. “Understanding GDPR already requires understanding what has come before. The E.U. has a history of benchmarks and accepted interpretation–like the cookie directive, and the privacy directive–that mean you’re going to need people who can help you understand what all this means.”

(Jeff Stone writes exclusively for WSJ Pro Cybersecurity. He previously covered privacy, international hacking groups, bug bounties, and a range of related topics at media outlets including the Christian Science Monitor and the International Business Times. Write to Jeff at jeff.stone@wsj.com)
